Abstract—Jamming refers to the deletion, corruption or damage of meter measurements that prevents their further usage. This is distinct from adversarial data injection, which changes meter readings while preserving their utility in state estimation. This paper presents a generalized attack regime that uses jamming of secure and insecure measurements to greatly expand the scope of common ‘hidden’ and ‘detectable’ data injection attacks in the literature. For ‘hidden’ attacks, it is shown that with jamming, the optimal attack is given by the minimum feasible cut in a specific weighted graph. More importantly, for ‘detectable’ data attacks, this paper shows that the entire range of relative costs for adversarial jamming and data injection can be divided into three separate regions, with distinct graph-cut based constructions for the optimal attack. Approximate algorithms for attack design are developed and their performance is demonstrated by simulations on IEEE test cases. Further, it is proved that prevention of such attacks requires security of all grid measurements. This work comprehensively quantifies the dual adversarial benefits of jamming: (a) reduced attack cost and (b) increased resilience to secure measurements, which strengthen the potency of data attacks.

I. Introduction 

State estimation is a vital component for robust control of power systems and efficient electricity market operations. It involves the collection of measurements from meters distributed across the grid, which are communicated through SCADA (Supervisory Control and Data Acquisition) systems and then used to determine the system state. The presence of faster sampling meters like phasor measurement units (PMUs) [1] and Wide-Area Monitoring and Control Systems has led to greater data collection and a heightened focus on reliable state estimation. This is because these new meters and their digital communication expose the grid to adversarial data attacks. Adversaries, often cyber in nature, can coordinately change meter readings to produce an incorrect state estimate that can subsequently result in grid failures and sub-optimal electricity prices. In fact, practical adversarial attacks have been widely studied in research (‘Aurora’ test attack [?], PMU timing attack [5]) and also reported in national media (cyberspying [?], ‘Dragonfly’ virus [?]). There has thus been a surge in recent research aimed at identifying power grid vulnerabilities and designing resilience to adversarial attacks.

The authors of [?] were among the first to identify the problem of ‘hidden’ data attacks that can change the state estimate by bypassing bad-data detection checks at the estimator. The central idea behind ‘hidden’ attacks in [?] is the design of a vector of data injections in the column space of the measurement matrix used in state estimation. Different adversarial goals (e.g. minimizing the number of compromised measurements, minimum attack energy and cost) and operating conditions (e.g. type of measurements, power flow model, presence of secure measurements) have led to diverse research approaches to the problem of optimal attack construction. For adversaries interested in minimizing the number of measurement corruptions in a DC power flow based estimator, [?] uses an ℓ0–ℓ1 relaxation based framework to design the optimal ‘hidden’ attack, while [?] uses mixed integer linear programming. For state estimation relying on voltage phasor and line flow measurements (collected from PMUs), [?], [?] provide a graph-cut based ‘hidden’ attack framework. Similarly, [?] discusses conditions for feasible data attacks on a Kalman-filter based estimator for AC power flow systems. For the related problem of preventing data attacks, techniques discussed in the literature include the heuristic scheme [?] and greedy schemes [?], [?], among others.

Aside from the mentioned research on ‘hidden’ attacks, a recent line of work has analyzed ‘detectable’ data attacks that affect state estimation despite failing bad-data detection checks. An attacker in this case prevents the bad-data remover from removing some or all of the tampered measurements from the system. In this context, reference [?] demonstrates the construction of a basic ‘detectable’ attack (termed a ‘data integrity’ attack) by using half of the measurements in the optimal ‘hidden’ attack, and by damaging the rest. The state estimator here removes only the damaged measurements as bad-data while the other half, manipulated by the adversary, passes the bad-data detection test and causes the attack. Reference [?] generalizes this technique by creating ‘detectable’ attacks from graph cuts that may include a minority of incorruptible measurements. This generalization produces an even greater reduction in attack cost (minimum being 50%) over ‘hidden’ attack costs. More importantly, the framework in [?] produces feasible ‘detectable’ attacks in systems secure against all ‘hidden’ attacks. In this paper, we analyze both attack regimes, ‘hidden’ and ‘detectable’, for adversaries that have an additional tool: measurement jamming.

By jamming, we refer to any adversarial action that prevents the state estimator from receiving or using a particular measurement. Jamming may be conducted by several practical techniques including wireless jammers, GPS spoofers, coordinated Denial of Service attacks [?] or even physical damage to the device, meter and communication equipment [?].


Though jamming attacks have been implemented in research, there are few studies analyzing their impact on constructing optimal adversarial attacks. References [?] and [?] use jamming of flow measurements together with attacks on breaker statuses to design topology attacks on state estimation. The authors of a recent paper [?] have used measurement jamming to design ‘detectable’ attacks. However, [?] limits adversarial action to insecure measurements and leaves encrypted measurements untouched. Though secure/encrypted measurements are indeed secure against data injection, they are jammable (e.g. through meter damage). Including jamming of secure measurements in the attack framework thus generalizes ‘detectable’ and ‘hidden’ attacks, and enables a complete analysis of the effect of jamming on attack cost and grid resilience. This is the principal focus of this work.

We develop a graph-theoretic framework to study generalized ‘hidden’ and ‘detectable’ data attacks by an adversary equipped with three techniques: (a) jamming and (b) data injection in insecure measurements, and (c) jamming of secure measurements. The distinct costs of these techniques will depend on the adversarial instruments and algorithms used for their implementation and on the measurement security available in the grid. Despite the possible variation in exact costs, we show that the design of the optimal attack depends only on the relative costs of jamming and injection. In particular, we show that

• for ‘hidden’ attacks, the optimal generalized attack is 
given by the solution to a minimum weight graph-cut 
problem on a weighted graph, for all permissible costs of 
jamming and data injection; 

• for ‘detectable’ attacks, the range of costs for the jamming and data injection tools can be divided into three intervals based on their relative values (Fig. 5). In each cost region, the optimal generalized attack is constructed by solving at most two minimum weight constrained graph-cut problems specific to that interval.

It needs to be mentioned that if jamming is limited to insecure measurements, the optimal ‘detectable’ attack is described by two cost intervals [18] with one graph-cut problem each, unlike the three cost intervals, each with two optimization problems, here. As the constrained graph-cut problems are in general not solvable in polynomial time, we give iterative min-cut based approximate algorithms that can be used for attack construction. Simulations on IEEE test cases elucidate the cost improvements produced by our generalized attack framework over traditional data attacks.

The second significant result of this paper states that our generalized attacks are feasible even in systems with only one insecure measurement. Preventing them requires extending security to all measurements. Our attack framework is thus more potent than previously studied ‘hidden’ [?], [?] and ‘detectable’ attacks [13], [19], which can be prevented with far fewer secure measurements, as detailed later.

The rest of this paper is organized as follows. The next section presents a description of the system models used in state estimation, bad-data removal and the considered adversarial tools and attack types. Traditional ‘hidden’ and ‘detectable’ attack regimes that involve manipulation of insecure measurements are discussed in Section III. Next, our generalized attack framework for ‘hidden’ and ‘detectable’ attacks is presented in Section IV, along with graph-theoretic formulations to study the effect of different adversarial costs on the optimal attack design. The algorithms to design the optimal ‘hidden’ and ‘detectable’ generalized attacks are given in Section V. Simulations of the proposed algorithms on IEEE bus systems for a range of jamming and bad-data injection costs and comparisons with existing work are shown in Section VI. Finally, concluding remarks are presented in Section VII.


II. State Estimation, Bad-Data Removal & Adversarial Action

The power grid represents a set V of n buses (nodes) connected by a set E of |E| transmission lines (directed edges). As an example, the IEEE 14 bus test system [20] is given in Figure 1.

Measurement Model: We use the DC power flow model [?] for the grid in this paper. Here, voltage magnitudes are assumed to be constant at unity on all buses and the state vector of the system comprises all bus phase angles x ∈ R^n. Transmission lines are assumed to be perfectly inductive (zero resistance) with a diagonal susceptance matrix B. We use x_i to denote the phase angle at bus i and B_ij to denote the susceptance of line (i, j). We consider an m-length measurement vector z ∈ R^m that comprises a) active power flows on lines and b) voltage phase angles on buses, collected from conventional meters and phasor measurement units in the grid. The relation between z and x is given by

z = Hx + e    (1)

where H is the m × n full-rank measurement matrix and e is a zero-mean Gaussian measurement noise vector with known covariance Σ. If the k1-th and k2-th entries (rows) in z (H) measure the power flow on line (i, j) and the phase angle at node i respectively, then the DC power flow gives

z(k1) = B_ij (x(i) − x(j)),    z(k2) = x(i)

H(k1, :) = [0..0  B_ij  0..0  −B_ij  0..0]    (2)

H(k2, :) = [0..0  1  0..0  0  0..0]    (3)

Fig. 2. State Estimator for a power system [21], [22].

Without loss of generality, we introduce an (n+1)-th ‘reference’ bus with phase angle 0 in the system and accordingly append 0 to the state vector x. Note that the phase angle measurement at any bus i is equivalent to a flow on a hypothetical line of unit conductance between bus i and the ‘reference’ bus. To represent this, we augment an additional column h_0 to matrix H with value −1 for rows representing phase angles and 0 otherwise. We thus convert every entry in z into a flow measurement given by

z = Hx = [H | h_0] [x ; 0]

Note that the augmented measurement matrix has the structure of a susceptance-weighted graph incidence matrix of rank n. From this point, we use x and H to denote the augmented state vector and measurement matrix respectively.

State Estimation: The complete DC state estimator used in this paper is given in Figure 2 [21], [22].

The true state estimate x* is generated from the measurement vector z by a weighted least-squares minimizer that minimizes the weighted residual's magnitude J(x, z) = ||Σ^{-1/2}(z − Hx)||_2 over the variable x. As shown in Fig. 2, this step is followed by a threshold (λ) based bad-data detector that determines the presence of bad-data by the following test:

||Σ^{-1/2}(z − Hx*)||_2 ≤ λ : accept x*
                         > λ : detect bad-data    (4)


If bad-data is detected, the bad-data remover is called to identify and remove bad-data as described below.

Bad-data Removal: Using basic linear algebra [?], [?], it can be shown that the residual vector r = z − Hx* = [I − …]. Based on the assumption that the probability of bad-data affecting a greater number of locations is low, the estimator removes the minimum number of measurements such that the remaining measurements satisfy the bad-data check in Eq. (4). The optimal identification and removal scheme for multiple incorrect measurements is NP-hard [?], [?] and hence iterative or greedy schemes are used in practice.


Unless otherwise stated, we assume that the unmanipulated 
measurement vector z is clean and leads to estimation of the 
correct state vector x*. 

Adversarial Tools and Attack Types: Following past work in the literature, we consider the adversary's goal to be producing a non-zero change in the estimated state vector x* using a minimum cost attack. In reality, the adversary's motivation may be economic (e.g. creating sub-optimal prices [?]) or grid instability (e.g. producing/hiding grid failures), or be restricted to specific buses (e.g. targeted attacks [?]). Keeping the adversarial goal as changing the state estimate analyzes the grid security in the strongest terms, where the grid controller is agnostic and gives equal weight to all adversaries.

We denote the set of secure measurements in z that are encrypted against adversarial data injection by S. Measurements in S can, however, still suffer from bad-data arising from measurement noise. The remaining insecure measurements are denoted by the set S^c. As stated in the Introduction, we consider three adversarial tools here. Among them, data injection is denoted by an additive vector a that modifies the measurement vector z to z + a. As secure measurements are immune to data injection, a(i) = 0 ∀ i ∈ S. In contrast, jamming can be conducted on both secure and insecure measurements and is represented by removal of the jammed measurements from z. Let p_I, p_J^{ic} and p_J^s denote the per-measurement costs of data injection, jamming insecure measurements, and jamming secure measurements respectively. Further, the permissible set of costs is assumed to satisfy:

Assumption 1: p_J^{ic} ≤ p_J^s ≤ p_I

Note that data injection involves changing meter measurements to precisely formatted real values and following communication protocols to ensure their usage at the state estimator. In contrast, jamming can be achieved by physical [?] or cyber destruction [?] of the meter reading. Further, an adversary equipped with data injection can conduct jamming by inserting garbage values into the measurements. Thus, we assume that the injection cost p_I is not less than the jamming costs. Secondly, jamming a secure measurement can be considered at least as costly as jamming an insecure measurement, as secure measurements are encrypted and may require bypassing the resident security features, leading to p_J^{ic} ≤ p_J^s. We assume the adversary knows/estimates these costs from the respective instrumentation and skills necessary for deployment. We show later that the attack construction depends on the relative values of these adversarial costs rather than their exact values.

A feasible attack refers to a successful attack; a feasible attack with minimum attack cost is called an optimal attack. We use injection attacks to refer to attacks that use data injection alone. For attacks that additionally use jamming of insecure measurements, we use the phrase jamming attacks. Attacks proposed in this work that use all three adversarial tools are termed generalized attacks. Finally, we prefix the attack denotation by its ‘type’. The two types of attacks discussed in this paper are defined below.

Definition 1.

‘Hidden’ attack [?]: This well-studied attack is not detected by the bad-data detector. The adversary ensures feasibility by manipulating measurements in a way such that the measurement residue remains unchanged.

‘Detectable’ attack [?], [?]: This attack initially fails the bad-data detection test but passes it after the estimator removes bad-data. The adversary ensures feasibility by manipulating measurements such that the minimum set of measurements that are removed to pass the detection test does not include all manipulated measurements.

In the next section, we describe traditional attack frame¬ 
works (injection attacks and jamming attacks) that operate 
through insecure measurements only. This background will 
help analyze generalized data attacks in subsequent sections. 

III. Data Attacks using insecure measurements 

We analyze both ‘hidden’ and ‘detectable’ traditional (injection and jamming) attacks where the adversary is limited to attacking insecure measurements in the set S^c. First, we focus on injection attacks.

A. Injection Attacks 

Here, the adversary's strategy is entirely represented by the injection vector a that is added to the measurement vector z. As data injection is the only tool available, its cost p_I does not influence the attack construction. Consider the case of a ‘hidden’ injection attack. As mentioned in Definition 1, the attack is successful if it doesn't change the measurement residual. If a = Hc ≠ 0 for some c ∈ R^{n+1}, this holds as

||Σ^{-1/2}(z − Hx*)||_2 = ||Σ^{-1/2}(z + a − H(x* + c))||_2

and the state estimate is modified to x* + c. The optimal ‘hidden’ injection attack is given by the sparsest a in the following [?], [10]:

min_{c ∈ R^{n+1} \ {0}}  ||a||_0    (H-I)
s.t. a = Hc,  c(n+1) = 0,  a(i) = 0 ∀ i ∈ S  (S: Secure Set)
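The residual argument above and the threshold test of Eq. (4) can be checked numerically on a small system. The following is an added example, not code from the paper: a toy 3-bus DC estimator in pure Python, with Σ = I assumed, a constructed measurement matrix H, a constructed noise sample and a constructed threshold λ. It shows that an injection a = Hc leaves the residual norm unchanged (so the estimate is accepted) while shifting the estimate by exactly c, whereas an injection outside the column space of H drives the residual above λ and is flagged.

```python
# Added example (not from the paper): a toy DC state estimator with the
# threshold test of Eq. (4), used to show why an injection a = Hc is 'hidden'
# while an arbitrary injection is caught. Pure Python; Sigma = I is assumed.

def solve_linear(A, b):
    """Solve A y = b for square A by Gauss-Jordan elimination with partial pivoting."""
    n = len(A)
    M = [list(A[i]) + [b[i]] for i in range(n)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        p = M[col][col]
        M[col] = [v / p for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0.0:
                f = M[r][col]
                M[r] = [rv - f * cv for rv, cv in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def matvec(H, x):
    return [sum(h * xi for h, xi in zip(row, x)) for row in H]


def wls_estimate(H, z):
    """Weighted least-squares estimate x* with Sigma = I: solve H^T H x = H^T z."""
    m, n = len(H), len(H[0])
    HtH = [[sum(H[k][i] * H[k][j] for k in range(m)) for j in range(n)] for i in range(n)]
    Htz = [sum(H[k][i] * z[k] for k in range(m)) for i in range(n)]
    return solve_linear(HtH, Htz)


def residual_norm(H, z):
    """||z - H x*||_2, the quantity compared against lambda in Eq. (4)."""
    r = [zi - hi for zi, hi in zip(z, matvec(H, wls_estimate(H, z)))]
    return sum(v * v for v in r) ** 0.5


def bad_data_check(H, z, lam):
    """Eq. (4): True means 'accept x*', False means 'bad-data detected'."""
    return residual_norm(H, z) <= lam


# Constructed 3-bus example. Bus 0 is the reference (angle 0), so its column is
# dropped; rows are flows on lines (1,2), (2,3), (1,3) with susceptances 2, 1, 1,
# and phase-angle measurements at buses 1 and 2 (unit-conductance lines to bus 0).
H = [[2.0, -2.0, 0.0],
     [0.0, 1.0, -1.0],
     [1.0, 0.0, -1.0],
     [1.0, 0.0, 0.0],
     [0.0, 1.0, 0.0]]
X_TRUE = [0.10, 0.05, -0.02]
NOISE = [0.01, -0.005, 0.004, 0.002, -0.003]      # constructed noise sample
Z = [h + e for h, e in zip(matvec(H, X_TRUE), NOISE)]
LAMBDA = 0.05                                      # constructed threshold


def injection_demo(a):
    """Apply injection a to Z and report what the estimator sees."""
    z_att = [zi + ai for zi, ai in zip(Z, a)]
    shift = [xa - xc for xa, xc in zip(wls_estimate(H, z_att), wls_estimate(H, Z))]
    return {"touched": sum(1 for v in a if abs(v) > 1e-12),
            "residual_clean": residual_norm(H, Z),
            "residual_attacked": residual_norm(H, z_att),
            "accepted": bad_data_check(H, z_att, LAMBDA),
            "state_shift": shift}


if __name__ == "__main__":
    c = [0.0, 0.2, 0.2]                            # constructed target state change
    hidden = injection_demo(matvec(H, c))          # a = Hc: in the column space of H
    naive = injection_demo([0.3, 0.0, 0.0, 0.0, 0.0])  # a single corrupted flow reading
    print("hidden :", hidden)
    print("naive  :", naive)
```

For this H the vector Hc with c = (0, 0.2, 0.2) is non-zero on three of the five rows, so the attack touches three measurements; the single-measurement injection is rejected because no choice of x can absorb it. This is the defender's reason for the residual test being insufficient on its own and for the graph-cut analysis that follows.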

Next, we look at a ‘detectable’ injection attack. By Definition 1 and the state estimator's bad-data removal technique described after Eq. (4), it is clear that an injection vector a ≠ 0 will successfully change the state estimate only if removal of some k < ||a||_0 entries from the measurement vector is sufficient to pass the bad-data detection test, while preserving observability. We describe the construction of such an injection vector a now. For any Hc ≠ 0, include more than half of the non-zero entries in Hc in a and replace the rest by 0. Observe that ||a||_0 > ||Hc − a||_0 here. Thus, measurements corresponding to the non-zero terms in (Hc − a) are incorrectly identified as bad-data instead of the injected measurements in a. After removal of bad-data from the measurement vector and elimination of the corresponding rows from the measurement matrix H, a now lies in the column space of the modified measurement matrix and a feasible attack is conducted. The optimal measurements from Hc to include in the attack vector a are given by the unity terms in the optimal binary vector d of the following [?], [18]:

min_{d ∈ {0,1}^m, c ∈ R^{n+1} \ {0}}  ||d||_0    (D-I)
s.t. c(n+1) = 0,  d(i) = 0 ∀ i ∈ S
     ||d||_0 > ||Hc||_0 / 2  (for feasibility)    (5)
     rank(DH) = n,  diag(D) = 1 − (1 − d) * (Hc)_spty    (6)

Here, a * b refers to the element-wise multiplication between vectors a and b, while a_spty denotes the sparsity pattern of vector a. In the rank constraint (6), D is a 0–1 diagonal matrix with value 0 for removed measurements. We now describe graph-theoretic solutions for attack construction for both attack types.

Graph-Theoretic Solution: We construct an undirected graph G_H with n+1 nodes and edges corresponding to the measurement rows in H. We call an edge in G_H secure or insecure according to whether the corresponding measurement in H is secure or insecure. Due to the unimodular structure of H, it can be shown that the optimal solutions of Problems H-I and D-I remain unchanged if c is restricted to be a 0–1 binary vector and H is replaced by the unweighted incidence matrix A_H of G_H. In this case, the non-zero terms in A_H c in fact correspond to a graph-cut in G_H [?], [?]. Thus, the optimal attack design can be stated as a graph-cut problem as described below:


Theorem 1.

([?, Theorem 2]) The optimal ‘hidden’ injection attack in Problem H-I is given by the minimum cardinality cut C* in G_H with no secure edges.

([?, Theorem 2]) The optimal ‘detectable’ injection attack in Problem D-I is given by any ⌊1 + |C*|/2⌋ insecure edges in C*, where C* denotes the minimum cardinality cut in G_H with a minority of secure edges (|C* ∩ S| < |C*|/2).

It follows immediately that the cost of the optimal ‘detectable’ injection attack is never greater than 0.5 + 1/|C*| times the cost of the optimal ‘hidden’ injection attack C*. Next, we add jamming of insecure measurements to the attack framework and discuss its implications.


B. Jamming Attacks 

Here the adversary can jam and remove insecure measurements at a cost p_J^{ic} in addition to injecting data at cost p_I. Note that for a non-zero change in the state estimate, the adversary should inject data into at least one insecure measurement. The design of the optimal ‘hidden’ jamming attack is given by:

Theorem 2. The optimal ‘hidden’ jamming attack for all permissible p_I and p_J^{ic} is constructed by injecting data into one edge and jamming the remaining edges in the minimum cardinality cut in G_H with no secure edges.

Brief proof steps: Using Theorem 1 and p_J^{ic} ≤ p_I, it is clear that the least cost ‘hidden’ jamming attack designed using the optimal ‘hidden’ injection attack is given by Theorem 2. Its global optimality can be proved by contradiction.

Now we look at ‘detectable’ jamming attacks as discussed in [18]. Consider a cut C in graph G_H with n_C^s and n_C^{ic} secure and insecure edges respectively, with n_C^{ic} > n_C^s. Using Theorem 1, C is feasible for a ‘detectable’ injection attack. If the adversary jams k_J^{ic} ≤ n_C^{ic} − n_C^s − 1 insecure measurements in C, the remaining |C| − k_J^{ic} measurements still constitute a feasible cut with a majority of insecure edges. The adversary can thus inject data into ⌊1 + (|C| − k_J^{ic})/2⌋ insecure edges in C to conduct a successful ‘detectable’ jamming attack of attack cost given by

p^C = p_J^{ic} k_J^{ic} + p_I ⌊1 + (|C| − k_J^{ic})/2⌋
    = (p_J^{ic} − p_I/2) k_J^{ic} + p_I (|C| + 2 − (|C| − k_J^{ic}) mod 2)/2    (7)

Note that if p_J^{ic} < p_I/2 the attack cost p^C of cut C decreases with increasing k_J^{ic} and is lowest at k_J^{ic} = n_C^{ic} − n_C^s − 1. Similarly, it can be shown that for p_J^{ic} > p_I/2, the attack cost is minimum at k_J^{ic} = 1 − |C| mod 2. Using these values of k_J^{ic} in Eq. (7) for the attack cost leads to the following result on optimal attack design.


Theorem 3. ([18, Theorem 2]) The construction of the optimal ‘detectable’ jamming attack with jamming cost p_J^{ic} and data injection cost p_I for insecure measurements is given by:

1. p_J^{ic} < p_I/2: Give weights of p_I − p_J^{ic} and p_J^{ic} to secure and insecure edges respectively in G_H and find the minimum weight cut C* with n_{C*}^s < |C*|/2 secure edges. Use 1 + n_{C*}^s insecure edges for bad-data injection and jam the other insecure edges.

2. p_J^{ic} > p_I/2: Find the minimum cardinality cut C* with a minority of secure edges in G_H. Use ⌊(1 + |C*|)/2⌋ insecure edges for data injection and jam (1 − |C*| mod 2) insecure edges.

A detailed derivation of Theorem 3 is given in [18]. The main argument is also elucidated through the example in Fig. 3. To conclude, the range of permissible relative costs for jamming insecure measurements is thus separable into two intervals with distinct designs for the optimal ‘detectable’ jamming attack.
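The two-interval split in Theorem 3 follows from the shape of Eq. (7) in the jam count k_J^{ic}. The following added example (not the paper's code) evaluates both lines of Eq. (7) for a cut with constructed parameters |C|, n_C^s, p_I and p_J^{ic}, brute-forces the cheapest feasible k, and compares it with the k the text derives: n_C^{ic} − n_C^s − 1 when p_J^{ic} < p_I/2, and 1 − |C| mod 2 when p_J^{ic} > p_I/2. The cut sizes and costs are constructed values chosen to fall in each interval.

```python
# Added example (not from the paper): evaluate the 'detectable' jamming attack
# cost of Eq. (7) for a cut with |C| edges, n_s of them secure, and check the
# two-interval rule behind Theorem 3 by brute force over the jam count k.

def jamming_attack_cost(cut_size, n_secure, k_jam, p_I, p_J):
    """Eq. (7), first line: jam k_jam insecure edges, inject into the rest needed.
    Returns None when the cut (or k_jam) is infeasible for a 'detectable' attack."""
    n_insecure = cut_size - n_secure
    if n_secure >= n_insecure or not 0 <= k_jam <= n_insecure - n_secure - 1:
        return None
    injected = 1 + (cut_size - k_jam) // 2          # floor(1 + (|C| - k)/2)
    return p_J * k_jam + p_I * injected


def jamming_attack_cost_closed_form(cut_size, k_jam, p_I, p_J):
    """Eq. (7), second line: the same cost as a linear term in k plus a parity term."""
    return (p_J - p_I / 2) * k_jam + p_I * (cut_size + 2 - (cut_size - k_jam) % 2) / 2


def optimal_k_jam(cut_size, n_secure, p_I, p_J):
    """Brute-force the cheapest feasible k for the cut; returns (k, cost).
    Feasible k runs from 0 to n_insecure - n_secure - 1 (ties go to the smaller k)."""
    candidates = [(jamming_attack_cost(cut_size, n_secure, k, p_I, p_J), k)
                  for k in range(cut_size - 2 * n_secure)]
    cost, k = min(candidates)
    return k, cost


def predicted_k_jam(cut_size, n_secure, p_I, p_J):
    """The k the text derives from Eq. (7): jam as much as feasible when p_J < p_I/2,
    otherwise only enough to make the remaining cut odd-sized."""
    if p_J < p_I / 2:
        return (cut_size - n_secure) - n_secure - 1
    return 1 - cut_size % 2


if __name__ == "__main__":
    # Constructed cuts and costs: one case per side of p_J = p_I/2, plus an even |C|.
    for cut_size, n_secure, p_I, p_J in [(7, 2, 10, 3), (7, 2, 10, 8), (8, 2, 10, 8)]:
        k, cost = optimal_k_jam(cut_size, n_secure, p_I, p_J)
        print(f"|C|={cut_size} n_s={n_secure} p_I={p_I} p_J={p_J}: best k={k} "
              f"(predicted {predicted_k_jam(cut_size, n_secure, p_I, p_J)}), cost={cost}")
```

Note that the cost is not monotone in k step by step, because the parity term in Eq. (7) alternates; the brute force confirms that the minimum nevertheless lands where the text says, since |C| − (n_C^{ic} − n_C^s − 1) = 2 n_C^s + 1 is always odd.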

In the next section, we present our generalized attack 
framework that allows jamming (not data injection) of secure 
measurements by the adversary. 


IV. Data Attacks with Jamming Secure Measurements

The adversary in this case has three tools (jamming secure measurements, jamming insecure measurements, and data injection in insecure measurements) with distinct costs per measurement (p_J^s, p_J^{ic}, and p_I). From Assumption 1, we have p_J^{ic} ≤ p_J^s ≤ p_I. The introduction of jamming of secure measurements creates major changes in the adversarial strategy, as it relaxes the feasibility requirements for both ‘hidden’ and ‘detectable’ attacks as noted below.
Fig. 3. Effect of jamming cost p_J^{ic} and data injection cost p_I on the minimum ‘detectable’ jamming attack C* derived from a cut C with n_C^s (< |C|/2) secure and n_C^{ic} insecure edges. Secure edges in the cut are colored red while untouched, jammed and injected insecure edges are colored white, blue and green respectively. When p_J^{ic} < p_I/2, the attack cost can be reduced by replacing one data injection with jamming of two measurements, as shown in the cuts on the left of C. For p_J^{ic} > p_I/2, the attack cost is reduced by replacing two jammed measurements by one measurement with data injection while leaving the other untouched, as shown on the right side of cut C. The optimal attacks C* obtained from this replacement are given by Theorem 3.


A. ‘Hidden’ Generalized Attacks

Theorems 1 and 2 state that feasible cuts for ‘hidden’ injection and jamming attacks cannot include any secure edge. With the ability to jam secure measurements, this is no longer necessary. Consider a cut C with n_C^s secure and n_C^{ic} > 0 insecure edges. If all n_C^s secure edges are removed by jamming, the remaining cut can provide a ‘hidden’ attack where one insecure edge is used for data injection and the rest are jammed. The total attack cost is p_J^s n_C^s + p_J^{ic} n_C^{ic} + (p_I − p_J^{ic}). The optimal attack is thus given by:

Theorem 4. Give weights of p_J^s and p_J^{ic} to secure and insecure edges respectively in G_H and find the minimum weight cut C* with a non-zero number of insecure edges. The optimal ‘hidden’ generalized attack is constructed by using one insecure edge in C* for data injection and jamming the remaining cut-edges.

Note that the optimal attack design here has the same form for all relative values of jamming and injection costs. Next, we look at ‘detectable’ generalized attacks.

B. ‘Detectable’ Generalized Attacks

We study how the design of a ‘detectable’ attack changes when jamming of secure measurements is allowed. To do so, we consider a cut C in graph G_H with n_C^s secure and n_C^{ic} insecure edges. We can have two cases for C: A) n_C^s < n_C^{ic} and B) n_C^s > n_C^{ic}. Theorems 1 and 3 state that to conduct a successful ‘detectable’ injection or jamming attack, the adversary requires graph-cuts with a majority of insecure edges (Case A). Thus, we have

Lemma 1. A ‘detectable’ generalized attack can be constructed from cut C having n_C^s secure and n_C^{ic} insecure edges if n_C^{ic} > 0 and the adversary initially jams k_C^s ≥ [n_C^s − n_C^{ic} + 1]^+ secure cut-edges, where [a]^+ = max{0, a}.

This step ensures that after removal of the k_C^s jammed secure measurements, the remaining cut has a majority of insecure edges, as shown in Fig. 4. Further, jamming of secure edges can lead to a reduction in attack cost as well. For example, if p_J^s + p_J^{ic} < p_I, a feasible cut C's data-injected insecure edge can be replaced with jamming of two edges in C, one secure and another insecure, to lower the attack cost. This is demonstrated by the cut on the right side in Fig. 4.



[Fig. 4 legend: secure, untouched; insecure, injected; insecure, jammed; insecure, untouched]

Fig. 4. Effect of jamming secure measurements on the design of ‘detectable’ generalized attacks. The cut on the left is infeasible due to a minority of insecure edges. Jamming secure measurements leads to a feasible cut in the middle. Finally, for p_J^s + p_J^{ic} < p_I, the attack cost can be reduced by replacing one data-injected edge with two jammed edges (one secure and one insecure).

To analyze the effect of the jamming cost for secure edges, we follow the approach in Theorem 3. We aim to determine the optimal ‘detectable’ generalized attack strategy over different ranges of the costs p_I, p_J^{ic} and p_J^s. We begin with the following cost interval.

Cost Interval I: [p_J^{ic} > p_I/2] ∩ [p_J^s ≥ p_I/2]

Using Theorem 3 for p_J^{ic} > p_I/2, the minimum cost attack using the remaining |C| − k_C^s edges is constructed by injecting data into ⌊(1 + |C| − k_C^s)/2⌋ and jamming (1 − (|C| − k_C^s) mod 2) insecure edges. The total cost is given by:

p^C = p_J^s k_C^s + p_I ⌊(1 + |C| − k_C^s)/2⌋ + p_J^{ic} (1 − (|C| − k_C^s) mod 2)    (8)

As p_J^s > p_I/2, we note that p^C is increasing with k_C^s. Using Lemma 1, the minimum cost is achieved at k_C^s = [n_C^s − n_C^{ic} + 1]^+. For Case A (n_C^s < n_C^{ic}), this gives k_C^s = 0 (no jamming of secure measurements), and the optimal attack is identical in structure to the optimal ‘detectable’ jamming attack for [p_J^{ic} > p_I/2] in Theorem 3. For Case B (n_C^s > n_C^{ic}), the optimal k_C^s equals n_C^s − n_C^{ic} + 1. The attack cost thus reduces to

p^C = p_J^s (n_C^s − n_C^{ic} + 1) + p_I n_C^{ic}    (using Eq. (8))
    = p_J^s n_C^s + (p_I − p_J^s) n_C^{ic} + p_J^s    (9)

Excluding the constant term, this optimal attack cost for C in Case B is equal to its cut-weight if secure and insecure edges are given weights p_J^s and p_I − p_J^s respectively.

As G_H has cuts in both Case A and Case B, the optimal ‘generalized’ attack selects the minimum cost one among the optimal attacks for Cases A and B. This is summarized below:

Theorem 5. The optimal ‘detectable’ generalized attack in G_H for the cost interval [p_J^{ic} > p_I/2] ∩ [p_J^s ≥ p_I/2] is given by the minimum cost attack among the optimal solutions of the following two graph optimization problems:

Problem I-A. Find the minimum cardinality feasible cut C* in G_H with a minority of secure edges. Use ⌊(1 + |C*|)/2⌋ insecure edges for bad-data injection and jam (1 − |C*| mod 2) insecure edges.

Problem I-B. Give weights of p_J^s and p_I − p_J^s to secure and insecure edges respectively in G_H and find the minimum weight cut C* with (n_{C*}^s > |C*|/2) secure edges and (n_{C*}^{ic} > 0) insecure edges. Inject data into all insecure edges and jam (n_{C*}^s + 1 − n_{C*}^{ic}) secure edges.

Next we analyze cut C with n_C^s secure and n_C^{ic} > 0 insecure edges in the second cost interval.

Cost Interval II: [p_J^{ic} < p_I/2] ∩ [p_J^{ic} + p_J^s ≥ p_I]

By Lemma 1, the adversary initially jams k_C^s ≥ [n_C^s − n_C^{ic} + 1]^+ secure cut-edges, leaving (n_C^s − k_C^s) secure and n_C^{ic} insecure edges. As p_J^{ic} < p_I/2, the minimum cost attack constructed from the remaining edges includes data injection into n_C^s − k_C^s + 1 measurements and jamming the rest of the insecure measurements (see Theorem 3). This gives an attack cost of:

p^C = p_J^s k_C^s + p_I (n_C^s − k_C^s + 1) + p_J^{ic} (n_C^{ic} − n_C^s + k_C^s − 1)
    = (p_J^s + p_J^{ic} − p_I) k_C^s + (p_I − p_J^{ic})(n_C^s + 1) + p_J^{ic} n_C^{ic}    (10)

As p_J^{ic} + p_J^s ≥ p_I, the attack cost in Eq. (10) increases with k_C^s. The minimum attack cost is thus attained for Case A (n_C^s < n_C^{ic}) at k_C^s = 0, and for Case B (n_C^s > n_C^{ic}) at k_C^s = n_C^s − n_C^{ic} + 1. The corresponding attack costs are given by:

p^C = (p_I − p_J^{ic})(n_C^s + 1) + p_J^{ic} n_C^{ic}    (for Case A)    (11)

p^C = p_J^s (n_C^s + 1) + (p_I − p_J^s) n_C^{ic}    (for Case B)    (12)

Observe that in either case, ignoring additive constants, the optimal attack cost is given by the cut-weight of C with distinct weights for secure and insecure measurements. We can thus determine the optimal ‘detectable’ generalized attack in this interval as follows:

Theorem 6. The optimal ‘detectable’ generalized attack in G_H for the cost interval [p_J^{ic} < p_I/2] ∩ [p_J^{ic} + p_J^s ≥ p_I] is given by the minimum cost attack among the optimal solutions of the following two graph optimization problems:

Problem II-A. Give weights of p_I − p_J^{ic} and p_J^{ic} to secure and insecure edges respectively in G_H and find the minimum weight cut C* with (n_{C*}^s < |C*|/2) secure edges. Inject data into (n_{C*}^s + 1) insecure edges and jam the other insecure edges.

Problem II-B. Give weights of p_J^s and p_I − p_J^s to secure and insecure edges respectively in G_H and find the minimum weight cut C* with (n_{C*}^s > |C*|/2) secure edges and (n_{C*}^{ic} > 0) insecure edges. Inject data into all insecure edges and jam (n_{C*}^s + 1 − n_{C*}^{ic}) secure edges.

Finally, we look at cost interval III with low jamming costs.

Cost Interval III: $[p_J < p_I/2] \cap [p_J + p_J^c < p_I]$

As the constraint $p_J < p_I/2$ is common to Interval II, the preliminary analysis here is identical to the discussion preceding Eq. (10) and leads to the following attack cost:

$p^C = (p_J^c + p_J - p_I)\,k_s^c + (p_I - p_J)(n_s^c + 1) + p_J\,n_s$ (13)

where $k_s^c \ge [\,n_s^c - n_s + 1\,]^+$ is the number of jammed secure measurements. Observe that the attack cost decreases on increasing $k_s^c$ in this interval, since the coefficient $p_J^c + p_J - p_I$ is negative. The minimum attack cost is thus obtained when $k_s^c = \max k_s^c = n_s^c$ for both Cases A and B. The optimal attack cost for cut $C$ is given by:

$p^C = p_J\,n_s + p_J^c\,n_s^c + (p_I - p_J)$ (for Cases A, B) (14)

which is an additive constant away from the cut-weight of $C$ if secure and insecure edges are given weights $p_J^c$ and $p_J$ respectively. The optimal 'detectable' generalized attack design is given by the following theorem.
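How Eq. (13) and (14) follow from the composition of the cut, carried through as an added worked derivation with the paper's own symbols (this derivation is not part of the original text; it assumes, as the Case A/B split implies, that a 'detectable' attack on a cut $C$ needs the injected measurements to outnumber the unjammed secure ones):

$$
\begin{aligned}
&\text{Cut } C \text{ has } n_s^c \text{ secure and } n_s \text{ insecure edges; } k_s^c \text{ secure edges are jammed.}\\
&\text{Unjammed (correct) secure measurements: } n_s^c - k_s^c .\\
&\text{Injections needed for a majority: } n_s^c - k_s^c + 1 \le n_s
\;\Rightarrow\; k_s^c \ge [\,n_s^c - n_s + 1\,]^+ .\\
&\text{Insecure edges left over are jammed: } n_s - (n_s^c - k_s^c + 1).\\[4pt]
p^C &= p_J^c\,k_s^c + p_I\,(n_s^c - k_s^c + 1) + p_J\,\big(n_s - n_s^c + k_s^c - 1\big)\\
&= (p_J^c + p_J - p_I)\,k_s^c + (p_I - p_J)(n_s^c + 1) + p_J\,n_s \qquad \text{(13)}\\[4pt]
&\text{In Interval III, } p_J + p_J^c < p_I, \text{ so the coefficient of } k_s^c \text{ is negative and } k_s^c = n_s^c:\\
p^C &= (p_J^c + p_J - p_I)\,n_s^c + (p_I - p_J)(n_s^c + 1) + p_J\,n_s
= p_J\,n_s + p_J^c\,n_s^c + (p_I - p_J) \qquad \text{(14)}
\end{aligned}
$$

With all $n_s^c$ secure edges jammed, exactly one insecure edge carries injected data and the remaining $n_s - 1$ insecure edges are jammed, which is the Problem III construction.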

Theorem 7. The optimal 'detectable' generalized attack in $G_H$ for the cost interval $[p_J < p_I/2] \cap [p_J + p_J^c < p_I]$ is given by the optimal solution of the following graph optimization problem:

Problem III. Give weights of $p_J^c$ and $p_J$ to secure and insecure edges respectively in $G_H$ and find the minimum weight cut $C^*$ with a non-zero number of insecure edges. Inject data into one insecure edge and jam all other secure and insecure edges.

To summarize, the design of the optimal 'detectable' generalized attack can be divided into three intervals that cover the entire range of permissible jamming and data injection costs, as shown in Fig. 5. In Intervals I (Theorem 5) and II (Theorem 6), the optimal attack is given by the minimum of two constrained graph-cut problems, while in Interval III (Theorem 7) it is given by the solution of a single problem. The following points are worth noting.

1) Problems I-A and II-A, pertaining to Case A in Intervals I and II, are identical to the sub-problems for designing optimal 'detectable' jamming attacks in the earlier theorem on 'detectable' jamming attacks.


Fig. 5. Separation of the range of relative costs for jamming secure ($p_J^c$) and insecure ($p_J$) measurements into intervals with distinct formulations for the optimal 'detectable' generalized attack. Interval I denotes $[p_J^c > p_I/2] \cap [p_J > p_I/2]$, Interval II denotes $[p_J < p_I/2] \cap [p_J + p_J^c > p_I]$, and Interval III denotes $[p_J < p_I/2] \cap [p_J + p_J^c < p_I]$. The fourth interval, $p_J^c < p_J$, is not permissible by Assumption 1.


2) Problems I-B and II-B, pertaining to Case B in Intervals I and II, are identical.

3) Problem III in Interval III is identical to the problem of designing optimal 'hidden' generalized attacks in Theorem 4.

The first two observations arise from the constraint $p_J + p_J^c > p_I$ in Intervals I and II. This constraint restricts the optimal number of jammed secure measurements to the minimum necessary for feasible attack construction, which is 0 for cuts with a majority of insecure edges. Thus Problems I-A and II-A are similar to the ones in the 'detectable' jamming attack theorem. For Interval III, the constraint $p_J + p_J^c < p_I$ implies that the attack cost can be reduced by replacing data injection at one measurement with jamming of a pair of insecure and secure measurements, or (since $p_J < p_I/2$) with jamming of two insecure measurements. Thus, the optimal 'detectable' generalized attack in Interval III includes only one measurement with data injection and is identical to the optimal 'hidden' generalized attack in Theorem 4.

For all permissible costs as per Assumption 1, the reduction in attack cost as a result of jamming is shown through simulations in Section VI. In addition, the next theorem presents the threat to grid resilience posed by generalized attacks.


Theorem 8.

1. A system is vulnerable to generalized data attacks (both 'hidden' and 'detectable') even if it contains only one insecure measurement.

2. Addition of new secure measurements alone does not prevent generalized attacks.

Proof: Consider the graph $G_H$. As mentioned in Theorems 4, 5, 6 and 7, a feasible generalized attack requires a cut in $G_H$ with a non-zero number of insecure edges. Such a cut does not exist only if all measurements are secure (any single insecure edge lies in the cut that isolates one of its end nodes). Hence the first statement holds. Addition of new secure measurements can increase the attack cost of a cut but does not change its feasibility. Hence the second statement holds. ■

It follows from Theorem 8 that the prevention of generalized attacks needs all existing insecure measurements to be replaced with secure ones, rather than the addition of new secure measurements. This is a much stricter requirement than that for traditional 'hidden' and 'detectable' attacks, which can be prevented by adding $n$ and $O(m/2)$ new secure measurements respectively [Qol], [M]. Here, $n$ is the number of buses (excluding the 'reference' bus) and $m$ is the number of measurements in the grid. Thus, our generalized attack framework undermines grid resilience to data attacks and cyber adversaries beyond previously studied attack models. In the next section, we comment on the hardness of designing generalized data attacks and develop approximate iterative algorithms to solve them.

V. Algorithm For Generalized Attack Construction

Consider the graph $G_H$ with sets $S$ and $S^c$ of secure and insecure edges respectively. The adversary is assumed to know the costs associated with jamming an insecure measurement, jamming a secure measurement and injecting data into an insecure measurement, given by $p_J$, $p_J^c$ and $p_I$ respectively. We first discuss the algorithm for designing 'hidden' generalized attacks.

'Hidden' generalized attacks: By Theorem 4, the optimal attack of this type is given by the minimum weight cut $C^*$ with a non-zero number of insecure edges in $G_H$, where secure and insecure edges have weights $p_J^c$ and $p_J$ respectively. Algorithm 1 outputs the optimal attack.


Algorithm 1 Optimal 'Hidden' Generalized Attack Design
Input: Graph $G_H$, sets $S$ ($S^c$) of secure (insecure) edges with edge-weights $p_J^c$ ($p_J$)

1: $i \leftarrow 1$, $w \leftarrow \infty$
2: while $i \le |S^c|$ do
3: Pick the $i$-th edge $(s, t)$ in $S^c$.
4: $C \leftarrow$ minimum weight $s$-$t$ cut separating $s$ and $t$ in $G_H$
5: if $w >$ $C$'s weight then
6: $w \leftarrow$ $C$'s weight, $C_f \leftarrow C$
7: end if
8: $i \leftarrow i + 1$
9: end while
10: Use $C_f$ for the optimal attack in Theorem 4


Working and Complexity: In each iteration of the while loop (Step 2), Algorithm 1 picks an insecure edge $(s, t)$ in $S^c$ and finds the minimum weight cut $C$ that contains it; any cut separating $s$ from $t$ necessarily contains the edge $(s, t)$, so the cut has at least one insecure edge. The feasible cut $C_f$ is updated if the current cut $C$ has lower weight. At the end of the iterations, the optimal attack is constructed by injecting data into one insecure edge and jamming the rest of the edges in $C_f$. Since a minimum $s$-$t$ cut can be computed using a max-flow algorithm in $O(nm\log(n^2/m))$ time [Ea], Algorithm 1 has polynomial time complexity $O(|S^c|\,nm\log(n^2/m))$. Here $n$ and $m$ are the number of nodes and edges in the graph $G_H$.

'Detectable' generalized attacks: As analyzed in the previous section, the relative values of the costs of jamming and data injection change the design of 'detectable' generalized attacks. Attack construction in Interval III is identical to that of 'hidden' generalized attacks and is solved in polynomial time by Algorithm 1. Here, we discuss the construction of attacks in Intervals I ($[p_J^c > p_I/2] \cap [p_J > p_I/2]$) and II ($[p_J < p_I/2] \cap [p_J + p_J^c > p_I]$). Theorems 5 and 6 state that in either interval, the optimal 'detectable' generalized attack is determined by solving two constrained graph-cut problems on $G_H$. In each of these problems (I-A, I-B, II-A and II-B), the constraint involves finding a cut $C$ in $G_H$ of Case A ($n_s^c < |C|/2$) or Case B ($n_s^c \ge |C|/2$), where $n_s^c$ is the number of secure edges in the cut. Reference [im] states that finding a cut where edges of one kind are in the majority is equivalent to the NP-hard 'ratio-cut' problem [24]. Thus, determining the optimal 'detectable' generalized attack in Intervals I and II is NP-hard in general.

Now, we provide an approximate algorithm (Algorithm 2) for solving constrained graph-cut problems of the form included in Theorems 5 and 6. Algorithm 2 is a generalization of an iterative min-cut based algorithm in [19], with additional constraints. The exact weights for secure and insecure edges and the constraint (Case A or B) are specified by the particular problem being solved.

Algorithm 2 Minimum Weight Constrained Graph-Cut Construction
Input: Graph $G_H$, sets $S$ and $S^c$ of secure and insecure edges respectively, edge weights and Case (A or B) given by the problem (I-A, I-B, II-A or II-B), $\beta$, $\gamma$

1: Compute the min-weight cut $C$ in $G_H$
2: $w_C \leftarrow$ $C$'s weight
3: if Case A then
4: while $(w_C < \gamma)$ && $(2|C \cap S| \ge |C|)$ do
5: Pick $i \in C \cap S$, increase its weight by $\beta$
6: Compute the min-weight cut $C$ in $G_H$
7: $w_C \leftarrow$ $C$'s weight
8: end while
9: if $2|C \cap S| < |C|$ then
10: Construct the attack for Problem I-A or II-A using $C$
11: else
12: Declare no solution
13: end if
14: else
15: while $(w_C < \gamma)$ && $(|C \cap S^c| = 0$ or $2|C \cap S^c| > |C|)$ do
16: if $|C \cap S^c| = 0$ then
17: Pick $i \in C \cap S$, increase its weight by $\infty$
18: else
19: Pick $i \in C \cap S^c$, increase its weight by $\beta$
20: end if
21: Compute the min-weight cut $C$ in $G_H$
22: $w_C \leftarrow$ $C$'s weight
23: end while
24: if $|C \cap S^c| > 0$ and $2|C \cap S^c| \le |C|$ then
25: Construct the attack for Problem I-B or II-B using $C$
26: else
27: Declare no solution
28: end if
29: end if

Working and Complexity: We describe Algorithm 2 with the graph-cut constraint specified by Case A ($n_s^c < |C|/2$). The analysis for Case B follows in a similar way. The edge-weights of secure and insecure edges are specified by Problem I-A or II-A. Step 1 computes the minimum weight cut $C$ in $G_H$, and Step 4 checks whether it satisfies the cut constraint of Case A. If the constraint is not satisfied, one secure edge in $C$ is selected randomly and its edge-weight is increased by $\beta$ (Step 5). Here $\beta$'s value is taken as either $\infty$ or the secure edge-weight for Case A (the insecure edge-weight for Case B). Following this, the minimum weight cut is recomputed and checked to see if the cut constraint is satisfied. This process is iterated until a feasible cut is obtained or the cut-weight grows beyond the threshold $\gamma$, at which point the algorithm declares no solution. Note that the weight increases are applied only to the working copy of the weights used for cut selection; the cost of the attack constructed from the final cut is evaluated with the original weights of the problem.

We discuss the complexity for $\beta = \infty$ and Case A. Once a secure edge has infinite weight it cannot appear in any finite-weight cut again, so the algorithm performs a maximum of $|S|$ min-cut computations, one for each secure edge. Since each min-cut can be computed in $O(nm + n^2 \log n)$ time [ES], Algorithm 2 has a worst-case computational complexity of $O(|S|\,(nm + n^2 \log n))$ for the constraint specified by Case A.

It needs to be noted that deciding the existence of a feasible cut of Case A or B is NP-hard [im], and hence obtaining the optimal cut is NP-hard as well. Thus, Algorithm 2 for optimal attack construction is approximate and may not return a solution for all system configurations. Determining the approximation gap of Algorithm 2 will depend on approximations of the ratio-cut problem for feasibility and additionally on reducing the cut-size for optimality. In the next section, we present simulation results to justify the good performance of Algorithm 2 in designing optimal 'detectable' generalized attacks.
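The following is an added example, not the authors' code or code from the paper: it implements Algorithm 1 and the Algorithm 2 heuristic (with the Theorem 6 attack construction for Problems II-A and II-B) in Python on a small measurement graph constructed for the example, and it also exhibits the first statement of Theorem 8 (a 'hidden' attack survives when a single measurement is left insecure). Assumptions: buses are nodes and each measurement is an edge of $G_H$, as in the paper's graph model; the toy graph, the integer costs (in hundredths of $p_I$, so that min-cut arithmetic is exact) and the function names are mine; the minimum $s$-$t$ cut is computed with Edmonds-Karp, and the random edge choice of Algorithm 2 is replaced by the lowest-indexed candidate for reproducibility.

```python
# Added example for Section V, not the authors' code: Algorithm 1 and the
# Algorithm 2 heuristic on a constructed toy G_H. Costs are integers in
# hundredths of the data-injection cost p_I, so min-cut arithmetic is exact.
from collections import defaultdict, deque

BIG = 10**9  # stands in for the 'infinite' weight increase of Algorithm 2
# Constructed toy G_H (assumption: buses are nodes and each measurement is one
# edge, flagged secure/encrypted or insecure, as in the paper's graph model).
NODES = [0, 1, 2, 3, 4, 5]
EDGES = [(0, 1, False), (1, 2, False), (2, 3, True), (3, 4, False),  # (u, v, secure)
         (4, 5, True), (5, 0, False), (0, 3, True), (1, 4, False)]

def split(edges, cut):
    """Secure and insecure edge indices of a cut, in index order."""
    return [i for i in cut if edges[i][2]], [i for i in cut if not edges[i][2]]

def min_st_cut(nodes, edges, weight, s, t):
    """Edmonds-Karp max-flow; returns (cut weight, indices of the cut edges)."""
    cap = {u: defaultdict(int) for u in nodes}
    for i, (u, v, _) in enumerate(edges):  # parallel measurements add up
        cap[u][v] += weight[i]
        cap[v][u] += weight[i]
    flow = 0
    while True:
        parent, queue = {s: None}, deque([s])
        while queue and t not in parent:
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:  # no augmenting path left: flow is maximum
            break
        path, v = [], t
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        b = min(cap[u][v] for u, v in path)
        for u, v in path:
            cap[u][v] -= b
            cap[v][u] += b
        flow += b
    src = set(parent)  # nodes still reachable from s form the source side
    return flow, [i for i, (u, v, _) in enumerate(edges) if (u in src) != (v in src)]

def global_min_cut(nodes, edges, weight):
    """Min-weight cut of a connected graph: the cheapest s0-t cut, s0 fixed."""
    return min((min_st_cut(nodes, edges, weight, nodes[0], t) for t in nodes[1:]),
               key=lambda r: r[0])

def hidden_attack(nodes, edges, p_J, p_Jc, p_I):
    """Algorithm 1 (Theorem 4): cheapest cut through an insecure edge; inject
    into one insecure edge of it and jam the rest. None if all edges are secure."""
    weight = [p_Jc if sec else p_J for _, _, sec in edges]
    # a cut separating s and t necessarily contains the insecure edge (s, t)
    best = min((min_st_cut(nodes, edges, weight, s, t) for s, t, sec in edges if not sec),
               key=lambda r: r[0], default=None)
    if best is None:
        return None  # every measurement secure: no feasible cut (Theorem 8)
    w, cut = best
    inject = split(edges, cut)[1][0]
    return {"cost": w + (p_I - p_J),  # Eq. (14): cut weight plus a constant
            "inject": [inject], "jam": [i for i in cut if i != inject]}

def constrained_cut(nodes, edges, w_sec, w_ins, case, beta, gamma):
    """Algorithm 2: while the Case A/B constraint fails and the cut weighs less
    than gamma, raise the weight of one offending edge and recompute the cut.
    Deterministic variant: lowest-indexed candidate (the paper picks randomly)."""
    weight = [w_sec if sec else w_ins for _, _, sec in edges]
    def satisfied(cut):
        sec, ins = split(edges, cut)
        if case == "A":
            return 2 * len(sec) < len(cut)  # insecure edges form a strict majority
        return len(ins) > 0 and 2 * len(ins) <= len(cut)  # secure edges at least half
    w, cut = global_min_cut(nodes, edges, weight)
    while w < gamma and not satisfied(cut):
        sec, ins = split(edges, cut)
        if case == "A":
            weight[sec[0]] += beta  # push a secure edge out of the cut
        elif not ins:
            weight[sec[0]] += BIG  # force some insecure edge into the cut
        else:
            weight[ins[0]] += beta  # push an insecure edge out of the cut
        w, cut = global_min_cut(nodes, edges, weight)
    return cut if satisfied(cut) else None

def detectable_attack_interval2(nodes, edges, p_J, p_Jc, p_I, gamma=10**6):
    """Theorem 6: cheaper of Problems II-A and II-B (assumes 2*p_J < p_I < p_J + p_Jc)."""
    plans = []
    cut = constrained_cut(nodes, edges, p_I - p_J, p_J, "A", p_I - p_J, gamma)
    if cut is not None:  # II-A: inject n_s^c + 1 insecure edges, jam the others
        sec, ins = split(edges, cut)
        k = len(sec) + 1
        plans.append({"problem": "II-A", "inject": ins[:k], "jam": ins[k:],
                      "cost": p_I * k + p_J * (len(ins) - k)})
    cut = constrained_cut(nodes, edges, p_Jc, p_I - p_Jc, "B", p_I - p_Jc, gamma)
    if cut is not None:  # II-B: inject all insecure, jam n_s^c + 1 - n_s secure
        sec, ins = split(edges, cut)
        k = len(sec) + 1 - len(ins)
        plans.append({"problem": "II-B", "inject": ins, "jam": sec[:k],
                      "cost": p_I * len(ins) + p_Jc * k})
    return min(plans, key=lambda p: p["cost"]) if plans else None
```

With the Fig. 6 costs ($p_J = 25$, $p_J^c = 50$, $p_I = 100$), `hidden_attack(NODES, EDGES, 25, 50, 100)` returns cost 150, i.e. $p_I + 2p_J$: inject into one of the three insecure measurements incident to bus 1 and jam the other two. Leaving only the edge (1, 4) insecure still yields a feasible 'hidden' attack (cost 200), which is Theorem 8 in miniature. With the Interval II costs of Fig. 7 ($p_J = 25$, $p_J^c = 80$), `detectable_attack_interval2` finds the Problem II-A cut immediately at cost 150, while the Problem II-B search needs five weight increases before the minimum cut contains a secure edge and ends at cost 180, so Theorem 6 picks II-A. A $\gamma$ below the final cut weight makes `constrained_cut` return `None`, the "declare no solution" branch of Algorithm 2.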

VI. Results on IEEE test systems 

We discuss the performance of Algorithm 1 and Algorithm 2 in designing 'hidden' and 'detectable' generalized attacks by simulations on the IEEE 14-bus and 57-bus test systems [20]. In each simulation run, we put flow measurements on all lines and phase angle measurements on 60% (randomly selected) of the system buses. We vary the fraction of secure measurements in either system, and observe its effect on the average cost of constructing the data attacks specified by Theorems 4, 5, 6 and 7. We first consider Algorithm 1, which gives the optimal 'hidden' generalized attack as well as the 'detectable' generalized attack in Interval III. Here, the costs of jamming insecure and secure measurements are taken respectively as .25 and .5 relative to the cost of injecting data into an insecure measurement, respecting the inequality in Assumption 1. Fig. 6 presents the trends in average costs of 'hidden' injection, 'detectable' injection and 'hidden' generalized attacks for the IEEE 14-bus and 57-bus test systems, for configurations where 'hidden' injection attacks are feasible. It is clearly observed that adding jamming to the adversarial tools greatly reduces the cost of 'hidden' attacks. In fact, 'hidden' generalized attacks are less expensive than 'detectable' injection attacks, which on average cost less than 50% of the cost of 'hidden' injection attacks [ifTSll].

Next we consider Algorithm 2 and use it to generate 'detectable' generalized attacks in Intervals I and II (see Fig. 5). For Intervals I and II as specified in Fig. 5, the relative costs of jamming an insecure measurement are taken as .6 and .25 times the cost of data injection, respectively. The relative cost of jamming a secure measurement to that of data injection into an insecure measurement is taken as .8 in both intervals, as per Assumption 1. To show the adversarial advantage of jamming secure measurements, we compare the average costs of 'detectable' generalized (DG) attacks with those of 'detectable' jamming (DJ) attacks in each case. Fig. 7 presents the average DG and DJ attack costs for the IEEE 14-bus and 57-bus test systems in cases with feasible 'hidden' injection attacks. It can be observed that though jamming of secure measurements reduces the average attack costs, its effect is more pronounced in Interval I, where the cost of jamming an insecure measurement is higher. Similarly, Fig. 8 demonstrates the trends in average DG and DJ attack costs for the same systems, but considering cases with feasible 'detectable' injection attacks. Even in this case, the cost improvement of DG over DJ attacks is greater in Interval I.

Note that the rise in attack cost with an increasing fraction of secure measurements in the system is greater in Fig. 8 than in Fig. 6 and Fig. 7. This disparity is due to the fact that in Figs. 6 and 7 we only record attack costs for system configurations with feasible 'hidden' injection attacks. As the number of such configurations decreases rapidly with an increasing number of secure measurements, we end up averaging over fewer configurations, leading to lower recorded average attack costs. The number of feasible configurations for 'detectable' injection attacks does not decrease as rapidly, hence Fig. 8 has cost curves with steeper slopes in general.

Fig. 6. Average cost of 'hidden' injection, 'detectable' injection and 'hidden' generalized attacks (when a 'hidden' injection attack exists) produced by Algorithm 1 on the IEEE 14 and 57 bus test systems with flow measurements on all lines, phasor measurements on 60% of the buses and protection on a fraction of measurements selected randomly. The cost of data injection ($p_I$) is taken as 1. The costs of jamming an insecure measurement ($p_J$) and a secure measurement ($p_J^c$) are taken as .25 and .5 respectively.

Fig. 7. Average cost of 'detectable' generalized (DG) and 'detectable' jamming (DJ) attacks (when a 'hidden' injection attack exists) in Cost Intervals I and II, produced by Algorithm 2 (with finite $\beta$) on the IEEE 14 and 57 bus test systems with flow measurements on all lines, phasor measurements on 60% of the buses and protection on a fraction of measurements selected randomly. In Intervals I and II, the costs of jamming an insecure measurement are taken as .6 and .25 respectively. The costs of jamming a secure measurement and of data injection are taken as .8 and 1 respectively in both intervals.

Fig. 8. Average cost of 'detectable' generalized (DG) and 'detectable' jamming (DJ) attacks (when a 'detectable' jamming attack exists) in Cost Intervals I and II, produced by Algorithm 2 (with finite $\beta$) on the IEEE 14 and 57 bus test systems with flow measurements on all lines, phasor measurements on 60% of the buses and protection on a fraction of measurements selected randomly. In Intervals I and II, the costs of jamming an insecure measurement are taken as .6 and .25 respectively. The costs of jamming a secure measurement and of data injection are taken as .8 and 1 respectively in both intervals.

VII. Conclusion

We introduce 'generalized' data attacks on state estimation in this paper. In our attack framework, an adversary uses three tools with distinct costs: jamming of encrypted (secure) measurements, data injection, and jamming of insecure measurements, to optimize the cost and expand the scope of traditional data attacks in the literature. We consider both 'hidden' and 'detectable' data attacks and present novel graph-cut based formulations for the construction of optimal generalized attacks of each type. We show that the optimal 'hidden' attack with adversarial jamming is given by the minimum weight graph-cut where the edge-weights for secure and insecure measurements are based on the costs of jamming and data injection in the system. We prove that the optimal 'hidden' attack with jamming is exactly constructed using a polynomial time min-cut based algorithm. For 'detectable' attacks, we show that the entire range of relative costs for data injection and jamming of secure and insecure measurements can be divided into three separate intervals, each with a distinct 'constrained graph-cut' based optimal attack construction. We present approximate algorithms that use iterative min-cut computations to determine the optimal 'detectable' attack in each interval. Due to the ability to jam secure measurements, our generalized framework has very relaxed constraints on attack feasibility compared to traditional models. This reduces the cost of 'hidden' and 'detectable' attacks and increases the adversary's immunity to the grid's security measures. Specifically, we show that our generalized data attacks are feasible even for systems with a single insecure measurement and hence are not prevented by adding new secure measurements. We present simulation results of our proposed attack framework on IEEE test cases for different costs of adversarial tools and discuss the performance of our algorithms. Jamming of secure measurements indeed severely weakens grid security by reducing attack cost and expanding attack feasibility significantly over that of traditional data attacks. Techniques to efficiently prevent generalized attacks by improving state estimation, and theoretical analysis of the performance of our approximate algorithms, are directions of our future work in this domain.